Model Checking
description
Transcript of Model Checking
![Page 2: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/2.jpg)
Modelling and specification for verification and validation How to specify what the software
is supposed to do? How to model it in a way that
allows us to check it?
![Page 3: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/3.jpg)
Sequential systems. Perform some computational task. Have some initial condition, e.g.,0in A[i] integer.
Have some final assertion, e.g., 0in-1 A[i]A[i+1].(What is the problem with this spec?)
Are supposed to terminate.
![Page 4: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/4.jpg)
Concurrent SystemsInvolve several computation agents.Termination may indicate an abnormal
event (interrupt, strike).May exploit diverse computational
power.May involve remote components.May interact with users (Reactive).May involve hardware components
(Embedded).
![Page 5: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/5.jpg)
Problems in modeling systems Representing concurrency:
- Allow one transition at a time, or- Allow coinciding transitions.
Granularity of transitions. Assignments and checks? Application of methods?
Global (all the system) or local (one thread at a time) states.
![Page 6: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/6.jpg)
Modeling.The states based model.
V={v0,v1,v2, …} - set of variables. p(v0, v1, …, vn) - a parametrized assertion, e.g.,
v0=v1+v2 /\ v3>v4. A state is an assignment of values to the
program variables. For example: s=<v0=1,v2=3,v3=7,…,v18=2>
For predicate (first order assertion) p: p (s ) is p under the assignment s.Example: p is x>y /\ y>z. s=<x=4, y=3, z=5>.Then we have 4>3 /\ 3>5, which is false.
![Page 7: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/7.jpg)
State space
The state space of a program is the set of all possible states for it.
For example, if V={a, b, c} and the variables are over the naturals, then the state space includes: <a=0,b=0,c=0>,<a=1,b=0,c=0>, <a=1,b=1,c=0>,<a=932,b=5609,c=6658>…
![Page 8: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/8.jpg)
Atomic Transitions
Each atomic transition represents a small piece of code such that no smaller piece of code is observable.
Is a:=a+1 atomic? In some systems, e.g., when a is a
register and the transition is executed using an inc command.
![Page 9: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/9.jpg)
Non atomicity
Execute the following when x=0 in two concurrent processes:
P1:a=a+1 P2:a=a+1 Result: a=2. Is this always the
case?
Consider the actual translation:
P1:load R1,a inc R1 store R1,aP2:load R2,a inc R2 store R2,a a may be also 1.
![Page 10: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/10.jpg)
Scenario
P1:load R1,a
inc R1
store R1,a
P2:load R2,a
inc R2 store R2,a
a=0
R1=0
R2=0
R1=1
R2=1
a=1
a=1
![Page 11: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/11.jpg)
Representing transitions Each transition has two parts:
The enabling condition: a predicate. The transformation: a multiple assignment.
For example:a>b (c,d):=(d,c)This transition can be executed in states where a>b. The result of executing it isswitching the value of c with d.
![Page 12: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/12.jpg)
Initial condition
A predicate I. The program can
start from states s such that I (s ) holds.
For example:I (s )=a>b /\ b>c.
![Page 13: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/13.jpg)
A transition system A (finite) set of variables V over
some domain. A set of states . A (finite) set of transitions T, each
transition et has an enabling condition e, and a transformation t.
An initial condition I.
![Page 14: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/14.jpg)
Example V={a, b, c, d, e}. : all assignments of natural
numbers for variables in V. T={c>0(c,e):=(c-1,e+1),
d>0(d,e):=(d-1,e+1)} I : c=a /\ d=b /\ e=0 What does this transition system do?
![Page 15: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/15.jpg)
The interleaving model An execution is a finite or infinite
sequence of states s0, s1, s2, … The initial state satisfies the initial
condition, I.e., I (s0). Moving from one state si to si+1 is by
executing a transition et: E (si ), I.e., si satisfies e. si+1 is obtained by applying t to si.
![Page 16: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/16.jpg)
Example:
s0=<a=2, b=1, c=2, d=1, e=0>
s1=<a=2, b=1, c=1, d=1, e=1>
s2=<a=2, b=1, c=1, d=0, e=2>
s3=<a=2, b=1 ,c=0, d=0, e=3>
T={c>0(c,e):=(c-1,e+1),
d>0(d,e):=(d-1,e+1)}
I: c=a /\ d=b /\ e=0
![Page 17: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/17.jpg)
L0:While True do NC0:wait(Turn=0); CR0:Turn=1endwhile ||L1:While True do NC1:wait(Turn=1); CR1:Turn=0endwhile
T0:PC0=L0PC0:=NC0T1:PC0=NC0/\Turn=0 PC0:=CR0T2:PC0=CR0 (PC0,Turn):=(L0,1)T3:PC1=L1PC1=NC1T4:PC1=NC1/\Turn=1 PC1:=CR1T5:PC1=CR1 (PC1,Turn):=(L1,0)
Initially: PC0=L0/\PC1=L1
The transitions
![Page 18: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/18.jpg)
The state graph:Successor relation between states.Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 19: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/19.jpg)
Some observations Executions : the set of maximal paths
(finite or terminating in a node where nothing is enabled).
Nondeterministic choice : when more than a single transition is enabled at a given state. We have a nondeterministic choice when at least one node at the state graph has more than one successor.
![Page 20: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/20.jpg)
Always ¬(PC0=CR0/\PC1=CR1)(Mutual exclusion)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 21: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/21.jpg)
Always if Turn=0 the at some point Turn=1Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 22: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/22.jpg)
Always if Turn=0 the at some point Turn=1Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 23: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/23.jpg)
Interleaving semantics:Execute one transition at a time.
Turn=0L0,L1
Turn=0L0,NC1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=1L0,CR1
Turn=1L0,NC1
Need to check the propertyfor every possible interleaving!
![Page 24: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/24.jpg)
Interleaving semanticsTurn=0L0,L1
Turn=0L0,NC1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=1L0,CR1
Turn=1L0,NC1
Turn=0L0,L1
Turn=0L0,NC1
![Page 25: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/25.jpg)
L0:While True do NC0:wait(Turn=0); CR0:Turn=1endwhile ||L1:While True do NC1:wait(Turn=1); CR1:Turn=0endwhile
T0:PC0=L0PC0:=NC0T1:PC0=NC0/\Turn=0PC0:=CR0T1’:PC0=NC0/\
Turn=1PC0:=NC0T2:PC0=CR0(PC0,Turn):=(L0,1)
T3:PC1==L1PC1=NC1T4:PC1=NC1/\Turn=1PC1:=CR1T4’:PC1=NC1/\Turn=0PC1:=N1T5:PC1=CR1(PC1,Turn):=(L1,0) Initially: PC0=L0/\PC1=L1
Busy waiting
![Page 26: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/26.jpg)
Always when Turn=0 then sometimes Turn=1Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
Now it does not hold!(Red subgraph generates a counterexample execution.)
![Page 27: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/27.jpg)
How can we check the model?
The model is a graph. The specification should refer the
the graph representation. Apply graph theory algorithms.
![Page 28: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/28.jpg)
What properties can we check?
Invariants: a property that need to hold in each state.
Deadlock detection: can we reach a state where the program is blocked?
Dead code: does the program have parts that are never executed.
![Page 29: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/29.jpg)
How to perform the checking?
Apply a search strategy (Depth first search, Breadth first search).
Check states/transitions during the search.
If property does not hold, report counter example!
![Page 30: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/30.jpg)
If it is so good, why learn deductive verification methods?
Model checking works only for finite state systems. Would not work with Unconstrained integers. Unbounded message queues. General data structures:
queues trees stacks
parametric algorithms and systems.
![Page 31: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/31.jpg)
The state space explosion Need to represent the state space of a
program in the computer memory. Each state can be as big as the entire
memory! Many states:
Each integer variable has 2^32 possibilities. Two such variables have 2^64 possibilities.
In concurrent protocols, the number of states usually grows exponentially with the number of processes.
![Page 32: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/32.jpg)
If it is so constrained, is it of any use?
Many protocols are finite state. Many programs or procedure are finite
state in nature. Can use abstraction techniques.
Sometimes it is possible to decompose a program, and prove part of it by model checking and part by theorem proving.
Many techniques to reduce the state space explosion.
![Page 33: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/33.jpg)
Depth First Search
Program DFSFor each s such that
Init(s) dfs(s)end DFS
Procedure dfs(s)for each s’ such
that R(s,s’) do
If new(s’) then dfs(s’)
end dfs.
![Page 34: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/34.jpg)
How can we check properties with DFS?
Invariants: check that all reachable statessatisfy the invariant property. If not, showa path from an initial state to a bad state.
Deadlocks: check whether a state where noprocess can continue is reached.
Dead code: as you progress with the DFS, mark all the transitions that are executed at least once.
![Page 35: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/35.jpg)
¬(PC0=CR0/\PC1=CR1) is an invariant!Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 36: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/36.jpg)
Want to do more!
Want to check more properties. Want to have a unique algorithm to
deal with all kinds of properties. This is done by writing specification
in more complicated formalisms. We will see that in the next lecture.
![Page 37: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/37.jpg)
[](Turn=0 --> <>Turn=1)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 38: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/38.jpg)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
init
![Page 39: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/39.jpg)
Turn=0L0,L1
Turn=1L0,L1
init
•Add an additional initial node.
•Propositions are attached to incoming nodes.
•All nodes are accepting.
Turn=1L0,L1
Turn=0L0,L1
![Page 40: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/40.jpg)
Correctness condition
We want to find a correctness condition for a model to satisfy a specification.
Language of a model: L(Model) Language of a specification: L(Spec).
We need: L(Model) L(Spec).
![Page 41: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/41.jpg)
Correctness
All sequences
Sequences satisfying Spec
Program executions
![Page 42: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/42.jpg)
How to prove correctness?
Show that L(Model) L(Spec). Equivalently: ______
Show that L(Model) L(Spec) = Ø. Also: can obtain L(Spec) by
translating from LTL!
![Page 43: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/43.jpg)
What do we need to know?
How to intersect two automata? How to complement an
automaton? How to translate from LTL to an
automaton?
![Page 44: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/44.jpg)
Specification Formalisms
![Page 45: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/45.jpg)
Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct. Spec. of reasonable size. Effective.
Check that there are no contradictions. Check that the spec. is implementable. Check that the implementation satisfies spec.
Expressive. May be used to generate initial code.Specifying the implementation or its
properties?
![Page 46: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/46.jpg)
A transition system A (finite) set of variables V. A set of states . A (finite) set of transitions T, each transition
e==>t has an enabling condition e and a
transformation t. An initial condition I. Denote by R(s, s’) the fact that s’ is a
successor of s.
![Page 47: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/47.jpg)
The interleaving model An execution is a finite or infinite sequence of states
s0, s1, s2, … The initial state satisfies the initial condition, I.e., I (s0). Moving from one state si to si+1 is by executing a
transition e==>t: e(si), I.e., si satisfies e. si+1 is obtained by applying t to si.
Lets assume all sequences are infinite by extending finite ones by “stuttering” the last state.
![Page 48: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/48.jpg)
Temporal logic Dynamic, speaks about several “worlds”
and the relation between them. Our “worlds” are the states in an
execution. There is a linear relation between them,
each two sequences in our execution are ordered.
Interpretation: over an execution, later over all executions.
![Page 49: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/49.jpg)
LTL: Syntax ::= () | ¬ | /\ \/ U |O | p
“box”, “always”, “forever”“diamond”, “eventually”,
“sometimes”O “nexttime”U“until”Propositions p, q, r, … Each represents some
state property (x>y+1, z=t, at-CR, etc.)
![Page 50: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/50.jpg)
Semantics over suffixes of execution
O
U
![Page 51: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/51.jpg)
Combinations
[]<>p “p will happen infinitely often”
<>[]p “p will happen from some point forever”.
([]<>p) --> ([]<>q) “If p happens infinitely often, then q also happens infinitely often”.
![Page 52: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/52.jpg)
Some relations: [](a/\b)=([]a)/\([]b) But <>(a/\b)(<>a)/\(<>b)
<>(a\/b)=(<>a)\/(<>b) But [](a\/b)([]a)\/([]b)
ab
aa abb b bab
![Page 53: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/53.jpg)
What about ([]<>A)/\([]<>B)=[]<>(A/\B)? ([]<>A)\/([]<>B)=[]<>(A\/B)? (<>[]A)/\(<>[]B)=<>[](A/\B)? (<>[]A)\/(<>[]B)=<>[](A\/B)?
No, just <--Yes!!!Yes!!!No, just -->
![Page 54: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/54.jpg)
Can discard some operators Instead of <>p, write true U p. Instead of []p, we can write
¬<>¬p,or ¬(true U ¬p).Because []p=¬¬[]p.¬[]p means it is not true that p holds forever, or at some point ¬p holds or <>¬p.
![Page 55: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/55.jpg)
Formal semantic definition Let be a sequence s0 s1 s2 … Let i be a suffix of : si si+1 si+2 … (0 = ) i |= p, where p a proposition, if si|=p. i |= /\ if i |= and i |= . i |= \/ if i |= or i |= . i |= <> if for some ji, j |= . i |= [] if for each ji, j |= . i |= U if for some ji, j|=
and for each ik<j, k |=.
![Page 56: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/56.jpg)
Then we interpret: s|=p as in propositional logic. |= is interpreted over a
sequence, as in previous slide. P|=holds if |= for every
sequence of P.
![Page 57: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/57.jpg)
Spring Example
s1 s3s2pull
release
releaseextended
malfunction
extended
r0 = s1 s2 s1 s2 s1 s2 s1 …r1 = s1 s2 s3 s3 s3 s3 s3 …r2 = s1 s2 s1 s2 s3 s3 s3 ……
![Page 58: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/58.jpg)
LTL satisfaction by a single sequence
malfunction
s1 s3s2pull
release
releaseextende
dextended
r2 = s1 s2 s1 s2 s3 s3 s3 …
r2 |= extended ??r2 |= O extended ??r2 |= O O extended ??r2 |= <> extended ??r2 |= [] extended ??
r2 |= <>[] extended ??r2 |= ¬ <>[] extended ??r2 |= (¬extended) U malfunction ??r2 |= [](¬extended->O extended) ??
![Page 59: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/59.jpg)
LTL satisfaction by a system
malfunction
s1 s3s2pull
release
releaseextende
dextended
P |= extended ??P |= O extended ??P |= O O extended ??P |= <> extended ??P|= [] extended ??
P |= <>[] extended ??P |= ¬ <>[] extended ??P |= (¬extended) U malfunction ??P |= [](¬extended->O extended) ??
![Page 60: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/60.jpg)
The state space
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 61: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/61.jpg)
[] ¬(PC0=CR0/\PC1=CR1)(Mutual exclusion)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 62: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/62.jpg)
[](Turn=0 --> <>Turn=1)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 63: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/63.jpg)
Interleaving semantics:Execute one transition at a time.
Turn=0L0,L1
Turn=0L0,NC1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=1L0,CR1
Turn=1L0,NC1
Need to check the propertyfor every possible interleaving!
![Page 64: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/64.jpg)
More specifications [](PC0=NC0 <> PC0=CR0) [](PC0=NC0 U Turn=0) Try at home:
- The processes alternate in entering their critical sections.- Each process enters its critical section infinitely often.
![Page 65: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/65.jpg)
Proof system ¬<>p<-->[]¬p [](pq)([]p[]q) []p(p/\O[]p) O¬p<-->¬Op [](pOp)(p[]p) (pUq)<-->(q\/(p/\
O(pUq))) (pUq)<>q
+ propositional logic axiomatization.
+ axiom: p []p
![Page 66: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/66.jpg)
Traffic light example
Green --> Yellow --> Red --> GreenAlways has exactly one light:[](¬(gr/\ye)/\¬(ye/\re)/\¬(re/\gr)/\(gr\/ye\/re))Correct change of color:[]((grUye)\/(yeUre)\/(reUgr))
![Page 67: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/67.jpg)
Another kind of traffic lightGreen-->Yellow-->Red-->Yellow-->GreenFirst attempt:[](((gr\/re) U ye)\/(ye U (gr\/re)))
Correct specification:[]( (gr-->(gr U (ye /\ ( ye U re )))) /\(re-->(re U (ye /\ ( ye U gr )))) /\(ye-->(ye U (gr \/ re))))
Needed only when wecan start with yellow
![Page 68: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/68.jpg)
Properties of sequential programs init-when the program starts and
satisfies the initial condition. finish-when the program terminates
and nothing is enabled. Partial correctness: init/\[](finish) Termination: init/\<>finish Total correctness: init/\<>(finish/\ ) Invariant: init/\[]
![Page 69: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/69.jpg)
Automata over finite words A=<, S, , I, F> (finite) the alphabet, S (finite) the
states. : S x x S is the transition relation I : S are the starting states F: S are the accepting states.
a
a
bbS0 S1
![Page 70: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/70.jpg)
The transition relation
(S0, a, S0) (S0, b, S1) (S1, a, S0) (S1, b, S1)
a
a
bbS0 S1
![Page 71: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/71.jpg)
A run over a word A word over , e.g., abaab. A sequence of states, e.g. S0 S0 S1 S0
S0 S1. Starts with an initial state. Accepting if ends at accepting state.
a
a
bbS0 S1
![Page 72: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/72.jpg)
The language of an automaton The words that are accepted by the automaton. Includes aabbba, abbbba. Does not include abab, abbb. What is the language?
a
a
bbS0 S1
![Page 73: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/73.jpg)
Nondeterministic automaton
Transitions: (S0,a,S0), (S0,b,S0), (S0,a,S1),(S1,a,S1).
What is the language of this automaton?
A,b aaS0 S1
![Page 74: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/74.jpg)
Equivalent deterministic automaton
a,b aaS0 S1
b
aaS0 S1
b
![Page 75: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/75.jpg)
Automata over infinite words Similar definition. Runs on infinite words over . Accepts when an accepting state
occurs infinitely often in a run.
a
a
bbS0 S1
![Page 76: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/76.jpg)
Automata over infinite words
Consider the word a b a b a b a b … There is a run S0 S0 S1 S0 S1 S0 S1
… This run in accepting, since S0 appears
infinitely many times.
A
A
BBS0 S1
![Page 77: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/77.jpg)
Other runs For the word b b b b b … the run is
S0 S1 S1 S1 S1… and is not accepting. For the word a a a b b b b b …, the
run is S0 S0 S0 S0 S1 S1 S1 S1 … What is the run for a b a b b a b b b …?
a
a
bbS0 S1
![Page 78: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/78.jpg)
Nondeterministic automaton What is the language of this
automaton? What is the LTL specification if
b -- PC0=CR0, a=¬b?
a,b aaS0 S1
•Can you find a deterministic automaton with same language?•Can you prove there is no such deterministic automaton?
![Page 79: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/79.jpg)
Specification using Automata Let each letter correspond to some
propositional property. Example: a -- P0 enters critical section,
b -- P0 does not enter section. []<>PC0=CR0
a
a
bbS0 S1
![Page 80: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/80.jpg)
Mutual Exclusion A -- PC0=CR0/\PC1=CR1 B -- ¬(PC0=CR0/\PC1=CR1) C -- TRUE []¬(PC0=CR0/\PC1=CR1)
b acS0 S1
![Page 81: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/81.jpg)
L0:While True do NC0:wait(Turn=0); CR0:Turn=1endwhile ||L1:While True do NC1:wait(Turn=1); CR1:Turn=0endwhile
T0:PC0=L0==>PC0=NC0T1:PC0=NC0/\Turn=0==> PC0:=CR0T2:PC0=CR0==> (PC0,Turn):=(L0,1)T3:PC1==L1==>PC1=NC1T4:PC1=NC1/\Turn=1==> PC1:=CR1T5:PC1=CR1==> (PC1,Turn):=(L1,0)
Initially: PC0=L0/\PC1=L1
![Page 82: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/82.jpg)
The state spaceTurn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 83: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/83.jpg)
[]¬(PC0=CR0/\PC1=CR1)Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 84: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/84.jpg)
[](Turn=0 --> <>Turn=1)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 85: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/85.jpg)
Correctness condition
We want to find a correctness condition for a model to satisfy a specification.
Language of a model: L(Model) Language of a specification: L(Spec).
We need: L(Model) L(Spec).
![Page 86: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/86.jpg)
Correctness
All sequences
Sequences satisfying Spec
Program executions
![Page 87: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/87.jpg)
Incorrectness
All sequences
Sequences satisfying Spec
Program executions
Counterexamples
![Page 88: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/88.jpg)
Intersecting M1=(S1,,T1,I1,A1) and M2=(S2,,T2,I2,S2)
Run the two automata in parallel. Each state is a pair of states: S1 x S2 Initial states are pairs of initials: I1 x
I2 Acceptance depends on first
component: A1 x S2 Conforms with transition relation:
(x1,y1)-a->(x2,y2) whenx1-a->x2 and y1-a->y2.
![Page 89: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/89.jpg)
Example (all states of second automaton accepting!)
a
bct0 t1
a
a
b,cb,cs0 s1
States: (s0,t0), (s0,t1), (s1,t0), (s1,t1).
Accepting: (s0,t0), (s0,t1). Initial: (s0,t0).
![Page 90: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/90.jpg)
a
bct0 t1
a
a
b,cb,cs0 s1
s0,t0
s0,t1
s1,t1
s1,t0b
b
a
c
a
c
Also state (s0,t1) is unreachable but we will keep it for thetime being!
![Page 91: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/91.jpg)
More complicated when A2S2
a
bct0 t1
a
a
b,cb,cs0 s1
Should we have acceptance when both components accepting? I.e., {(s0,t1)}?
No, consider (ba)
It should be accepted, but never passes that state.
s0,t0s0,t1
s1,t1
b
a
ca
c
![Page 92: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/92.jpg)
More complicated when A2S2
a
bct0 t1
A
a
b,cb,cs0 s1
Should we have acceptance when at least one components is accepting? I.e., {(s0,t0),(s0,t1),(s1,t1)}?No, consider b c
It should not be accepted, but here will loop through (s1,t1)
s0,t0s0,t1
s1,t1
b
c
a
ca
![Page 93: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/93.jpg)
Intersection - general caseAlso: propositions on nodes
q0 q2
q3q1
A/\¬Bq0,q3
¬A/\¬Bq1,q3
¬A/\Bq1,q2
A/\¬B
¬A
¬A/\B
A\/¬B
q0 and q2 give false.
![Page 94: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/94.jpg)
Version 0: to catch q0Version 1: to catch q2
A/\¬Bq0,q3
¬A/\¬Bq1,q3
¬A/\Bq1,q2
A/\¬Bq0,q3
¬A/\¬Bq1,q3
¬A/\Bq1,q2
Move when see accepting of left (q0)
Move when see accepting of right (q2)
Version 0
Version 1
![Page 95: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/95.jpg)
Make an accepting state in one of the version according to a component accepting state
A/\¬Bq0,q3,0
¬A/\¬Bq1,q3,0
¬A/\Bq1,q2,0
A/\¬Bq0,q3,1
¬A/\¬Bq1,q3 ,1
¬A/\Bq1,q2 ,1
Version 1
Version 0
![Page 96: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/96.jpg)
How to check for emptiness?
s0,t0
s0,t1
s1,t1
b
b
a
c
a
c
![Page 97: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/97.jpg)
Emptiness...
Need to check if there exists an accepting run (passes through an accepting state infinitely often).
![Page 98: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/98.jpg)
Finding accepting runs
If there is an accepting run, then at least one accepting state repeats on it forever. This state appears on a cycle. So, find a reachable accepting state on a cycle.
![Page 99: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/99.jpg)
Equivalently... A strongly connected component:
a set of nodes where each node is reachable by a path from each other node. Find a reachable strongly connected component with an accepting node.
![Page 100: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/100.jpg)
How to complement? Complementation is hard! Can ask for the negated property (the
sequences that should never occur). Can translate from LTL formula to
automaton A, and complement A. But:can translate ¬ into an automaton directly!
![Page 101: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/101.jpg)
Model Checking under FairnessExpress the fairness as a property φ.
To prove a property ψ under fairness,model check φψ.
Fair (φ)
Bad (¬ψ) Program
Counterexample
![Page 102: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/102.jpg)
Model Checking under Fairness
Specialize model checking. For weak process fairness: search for a reachable strongly connected component, where for each process P either
it contains on occurrence of a transition from P, or
it contains a state where P is disabled.
![Page 103: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/103.jpg)
Dekker’s algorithm
P1::while true do begin non-critical section 1 c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; wait until turn=1;
c1:=0; end end critical section 1 c1:=1; turn:=2 end.
P2::while true do begin non-critical section 2 c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2;
c2:=0; end end critical section 2 c2:=1; turn:=1 end.
boolean c1 initially 1;boolean c2 initially 1;integer (1..2) turn initially 1;
![Page 104: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/104.jpg)
Dekker’s algorithm
P1::while true do begin non-critical section 1 c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; wait until turn=1;
c1:=0; end end critical section 1 c1:=1; turn:=2 end.
P2::while true do begin non-critical section 2 c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2;
c2:=0; end end critical section 2 c2:=1; turn:=1 end.
boolean c1 initially 1;boolean c2 initially 1;integer (1..2) turn initially 1;
c1=c2=0,turn=1
![Page 105: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/105.jpg)
Dekker’s algorithm
P1::while true do begin non-critical section 1 c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; wait until turn=1;
c1:=0; end end critical section 1 c1:=1; turn:=2 end.
P2::while true do begin non-critical section 2 c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2;
c2:=0; end end critical section 2 c2:=1; turn:=1 end.
boolean c1 initially 1;boolean c2 initially 1;integer (1..2) turn initially 1;
c1=c2=0,turn=1
![Page 106: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/106.jpg)
Dekker’s algorithm
P1::while true do begin non-critical section 1 c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; wait until turn=1;
c1:=0; end end critical section 1 c1:=1; turn:=2 end.
P2::while true do begin non-critical section 2 c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2;
c2:=0; end end critical section 2 c2:=1; turn:=1 end.
P1 waits for P2 to set c2 to 1 again.Since turn=1 (priority for P1), P2 is ready to do that. But never gets the chance, since P1 is constantly active checking c2 in its while loop.
c1=c2=0,turn=1
![Page 107: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/107.jpg)
What went wrong? The execution is unfair to P2.
It is not allowed a chance to execute.
Such an execution is due to the interleaving model (just picking an enabled transition.
If it did, it would continue and set c2 to 0, which would allow P1 to progress.
Fairness = excluding some of the executions in the interleaving model, which do not correspond to actual behavior of the system.
while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2;
c2:=0; end end
![Page 108: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/108.jpg)
Recall:The interleaving model An execution is a finite or infinite sequence of states s0, s1,
s2, … The initial state satisfies the initial condition, I.e., I (s0). Moving from one state si to si+1 is by executing a transition
et: e(si), I.e., si satisfies e. si+1 is obtained by applying t to si.
Now: consider only “fair” executions. Fairness constrains sequences that are considered to be executions.
Fair executions
SequencesExecutions
![Page 109: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/109.jpg)
Some fairness definitions Weak transition fairness:
It cannot happen that a transition is enabled indefinitely, but is never executed.
Weak process fairness: It cannot happen that a process is enabled indefinitely, but non of its transitions is ever executed
Strong transition fairness:If a transition is infinitely often enabled, it will get executed.
Strong process fairness:If at least one transition of a process is infinitely often enabled, a transition of this process will be executed.
![Page 110: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/110.jpg)
How to use fairness constraints? Assume in the negative that some
property (e.g., termination) does not hold, because of some transitions or processes prevented from execution.
Show that such executions are impossible, as they contradict fairness assumption.
We sometimes do not know in reality which fairness constraint is guaranteed.
![Page 111: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/111.jpg)
ExampleP1::x=1 P2: do
:: y==0 if
:: true :: x==1 y=1
fi od
Initially: x=0; y=0;
In order for the loop to terminate we need P1 to execute the assignment. But P1 may never execute, since P2 is in a loop executing true. Consequently, x==1 never holds, and y is never assigned a 1.
pc1=l0-->(pc1,x):=(l1,1) /* x=1 */pc2=r0/\y=0-->pc2=r1 /* y==0*/pc2=r1pc2=r0 /* true */pc2=r1/\x=1(pc2,y):=(r0,1) /* x==1 --> y:=1 */
![Page 112: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/112.jpg)
Weak transition fairness
P1::x=1 P2: do :: y==0
if :: true
:: x==1 y=1
fi od
Initially: x=0; y=0;
Under weak transition fairness, P1 would assign 1 to x, but this does not guarantee that 1 is assigned to y and thus the P2 loop will terminates, since the transition for checking x==1 is not continuously enabled (program counter not always there).
Weak process fairness only guarantees P2 to execute, but it can still choose to do the true.Strong process fairness: same.
![Page 113: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/113.jpg)
Strong transition fairness
P1::x=1 P2: do :: y==0
if :: true
:: x==1 y=1 fi
od
Initially: x=0; y=0;
Under strong transition fairness, P1 would assign 1 to x. If the execution was infinite, the transition checking x==1 was infinitely often enabled. Hence it would be eventually selected. Then assigning y=1, the main loop is not enabled anymore.
![Page 114: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/114.jpg)
Some fairness definitions Weak transition fairness:
/\ T (<>[]en []<>exec).
Equivalently: /\aT ¬<>[](en /\¬exec) Weak process fairness:
/\Pi (<>[]enPi []<>execPi ) Strong transition fairness:
/\ T ([]<>en []<>exec ) Strong process fairness:
/\Pi ([]<>enPi []<>execPi )
exec is executed.
execPi some transition of Pi is executed.
en is enabled.
enPi some transition of process Pi is enabled.
enPi = \/ T en
execPi = \/ T exec
![Page 115: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/115.jpg)
“Weaker fairness condition”
A is weaker than B if BA. Consider the executions
L(A) and L(B).Then L(B) L(A).
An execution is strong {process,transition} fair implies that it is also weak {process,transition} fair.
There are fewer strong {process,transition} fair executions.
Strongtransitionfair execs
Weakprocess
fair execs
Weaktransitionfair execs
Strongprocess
fair execs
![Page 116: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/116.jpg)
Model Checking under fairness Instead of verifying that the program
satisfies , verify it satisfies fair Problem: may be inefficient. Also
fairness formula may involves special arrangement for specifying what exec means.
May specialize model checking algorithm instead.
![Page 117: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/117.jpg)
Model Checking under Fairness
Specialize model checking. For weak process fairness: search for a reachable strongly connected component, where for each process P either
it contains on occurrence of a transition from P, or
it contains a state where P is disabled.
Weak transition fairness: similar. Strong fairness: much more difficult
algorithm.
![Page 118: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/118.jpg)
Abstractions
![Page 119: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/119.jpg)
Problems with software analysis Many possible outcomes and
interactions. Not manageable by an algorithm
(undecideable, complex). Requires a lot of practice and
ingenuity (e.g., finding invariants).
![Page 120: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/120.jpg)
More problems
Testing methods fail to cover potential errors. Deductive verification techniques require
too much time, mathematical expertise, ingenuity.
Model checking requires a lot of time/space and may introduce modeling errors.
![Page 121: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/121.jpg)
How to alleviate the complexity? Abstraction Compositionality Partial Order Reduction Symmetry
![Page 122: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/122.jpg)
Abstraction
Represent the program using a smaller model.
Pay attention to preserving the checked properties.
Do not affect the flow of control.
![Page 123: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/123.jpg)
Main idea Use smaller data objects.
x:= f(m)y:=g(n)if x*y>0 then … else …x, y never used again.
![Page 124: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/124.jpg)
How to abstract?
Assign values {-1, 0, 1} to x and y. Based on the following connection:
sgn(x) = 1 if x>0, 0 if x=0, and -1 if x<0.sgn(x)*sgn(y)=sgn(x*y).
![Page 125: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/125.jpg)
Abstraction mapping S - states, I - initial states. L(s) -
labeling. R(S,S) - transition relation. h(s) maps s into its abstract image.
Full model --h--> Abstract model I(s) --> I(h(s)) R(s, t) --> R(h(s),h(t)) L(h(s))=L(s)
![Page 126: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/126.jpg)
Traffic light example
go
stop
stop
![Page 127: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/127.jpg)
go
stop
stop
go
stop
![Page 128: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/128.jpg)
What do we preserve?go
stop
stop
go
stop
Every execution of the full model can be simulated by an execution of the reduced one.
Every LTL property that holds in the reduced model hold in the full one.
But there can be properties holding for the original model but not the abstract one.
![Page 129: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/129.jpg)
Preserved: [](go->O stop)
go
stop
stop
go
stop
Not preserved:
[]<>go
Counterexamples need to be checked.
![Page 130: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/130.jpg)
Symmetry A permutation is a one-one and onto
function p:A->A.For example, 1->3, 2->4, 3->1, 4->5, 5->2.
One can combine permutations, e.g.,p1: 1->3, 2->1, 3->2p2: 1->2, 2->1, 3->3p1@p2: 1->3, 2->2, 3->1
A set of permutations with @ is called a symmetry group.
![Page 131: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/131.jpg)
Using symmetry in analysis Want to find some symmetry group such
that for each permutation p in it,R(s,t) if and only if R(p(s), p(t))and L(p(s))=L(s).
Let K(s) be all the states that can be permuted to s. This is a set of states such that each one can be permuted to the other.
![Page 132: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/132.jpg)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
init
![Page 133: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/133.jpg)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
init
The quotient model
![Page 134: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/134.jpg)
What is preserved in the following buffer abstraction? What is not preserved?
eempty
quasi
full
q
q
q
f
![Page 135: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/135.jpg)
Translating from logic to automata
Comment: the language of LTL is a proper subset of the language of Buchi Automata. For example,one cannot express in LTL the following automaton [Wolper]:
a
a ,¬a
![Page 136: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/136.jpg)
Why translating?
Want to write the specification in some logic.
Want model-checking tools to be able to check the specification automatically.
![Page 137: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/137.jpg)
Preprocessing Convert into normal form, where negation
only applies to propositional variables. ¬[] becomes <>¬. ¬<> becomes [] ¬. What about ¬ ( U )? Define operator V such that
¬ ( U ) = (¬) R (¬), ¬ ( R ) = (¬) U (¬).
![Page 138: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/138.jpg)
Semantics of pR q(the Release operator, dual to Until)
p
qqq qq qq
q
q qqq
¬p¬p¬p
¬p ¬p ¬p ¬p ¬p ¬p ¬p ¬p¬p
¬p
![Page 139: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/139.jpg)
Replace ¬T by F, and ¬F by T. Replace ¬ ( \/ ) by (¬) /\ (¬)
and ¬ ( /\ ) by (¬) \/ (¬)
![Page 140: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/140.jpg)
Eliminate implications, <>, []
Replace -> by (¬ ) \/ . Replace <> by (T U ). Replace [] by (F R ).
![Page 141: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/141.jpg)
Example
Translate ( []<>P ) ( []<>Q ) Eliminate implication ¬( []<>P ) \/ (
[]<>Q ) Eliminate [], <>:
¬( F R ( T U P ) ) \/ ( F R ( T U Q ) ) Push negation inwards:
(T U (F R ¬P ) ) \/ ( F R ( T U Q ) )
![Page 142: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/142.jpg)
The data structureIncoming
New Old
NextName
![Page 143: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/143.jpg)
The main idea
U = \/ ( /\ O ( U ) ) R = /\ ( \/ O ( R ) ) This separates the formulas to two
parts:one holds in the current state, and the other in the next state.
![Page 144: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/144.jpg)
How to translate?
Take one formula from “New” and add it to “Old”.
According to the formula, either Split the current node into two, or Evolve the node into a new version.
![Page 145: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/145.jpg)
SplittingIncoming
New Old
Next
Incoming
New Old
Next
Incoming
New Old
Next
Copy incoming edges, update other field.
![Page 146: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/146.jpg)
EvolvingIncoming
New Old
Next
Incoming
New Old
Next
Copy incoming edges, update other field.
![Page 147: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/147.jpg)
Possible cases: U , split:
Add to New, add U to Next. Add to New.Because U = \/ ( /\ O ( U )).
R , split: Add to New. Add to New, R to Next.Because R = /\ ( \/ O ( R )).
![Page 148: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/148.jpg)
More cases:
\/ , split: Add to New. Add to New.
/\ , evolve: Add to New.
O , evolve: Add to Next.
![Page 149: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/149.jpg)
How to start?Incoming
New Old
Next
init
aU(bUc)
![Page 150: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/150.jpg)
Incoming
init
aU(bUc)
Incoming Incoming
aU(bUc)aU(bUc) bUc
aU(bUc)
a
init init
![Page 151: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/151.jpg)
Incoming
aU(bUc)bUc
init initIncoming Incoming
aU(bUc)aU(bUc) c
(bUc)
b
init
![Page 152: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/152.jpg)
When to stop splitting? When “New” is empty. Then compare against a list of existing
nodes “Nodes”: If such a with same “Old”, “Next” exists,
just add the incoming edges of the new versionto the old one.
Otherwise, add the node to “Nodes”. Generate a successor with “New” set to “Next” of father.
![Page 153: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/153.jpg)
Incoming
a,aU(bUc)
aU(bUc)
init
Incoming
aU(bUc)
Creating a successor node.
![Page 154: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/154.jpg)
How to obtain the automaton?
There is an edge from node X to Y labeled with propositions P (negated or non negated), if X is in the incoming list of Y, and Y has propositions P in field “Old”.
Initial nodes are those marked as init.
Incoming
New Old
Next
X
Node Y
a, b, ¬c
![Page 155: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/155.jpg)
The resulted nodes.
a, aU(bUc) b, bUc, aU(bUc) c, bUc, aU(bUc)
b, bUc c, bUc
![Page 156: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/156.jpg)
a, aU(bUc) b, bUc, aU(bUc) c, bUc, aU(bUc)
b, bUc c, bUc
Initial nodes: All nodes with incoming edge from “init”.
![Page 157: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/157.jpg)
Acceptance conditions Use “generalized Buchi automata”, where
there are several acceptance sets F1, F2, …, Fn, and each accepted infinite sequence must include at least one state from each set infinitely often.
Each set corresponds to a subformula of form U . Guarantees that it is never the case that U holds forever, without .
Translate to Buchi acceptance condition (will be shown later).
![Page 158: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/158.jpg)
Accepting w.r.t. bUc (green)
a, aU(bUc) b, bUc, aU(bUc) c, bUc, aU(bUc)
b, bUc c, bUc
All nodes with c, or without bUc.
![Page 159: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/159.jpg)
Acceptance w.r.t. aU(bUc)(blue)
a, aU(bUc) b, bUc, aU(bUc) c, bUc, aU(bUc)
b, bUc c, bUc
All nodes with bUc or without aU(bUc).
![Page 160: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/160.jpg)
Translating Multiple Buchi into Buchi automata
For acceptance sets F1, F2, …, Fn, generate n copies of the automaton.
Move from the ith copy to the i+1th copy when passing a state of Fi.
In the first copy, the states of F1 are accepting.
Same intuition as the unrestricted intersection:Need to see each accepting set infinitely often, and it does not matter that we miss some of them (there must be an infinite supply anyway…).
![Page 161: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/161.jpg)
Conclusions Model checking: automatic verification of
finite state systems. Modeling: affects how we can view and
check the system’s properties. Specification formalisms, e.g., LTL or Buchi
automata Apply graph algorithms (or BDD, or BMD). Methods to alleviate state space explosion. Translate LTL into Buchi automata.
![Page 162: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/162.jpg)
Algorithmic Testing and Black Box
Checking
![Page 163: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/163.jpg)
Why testing? Reduce design/programming errors. Can be done during development,
beforeproduction/marketing.
Practical, simple to do. Check the real thing, not a model. Scales up reasonably. Being state of the practice for decades.
![Page 164: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/164.jpg)
Part 1: Testing of black box finite state machine
Know:Transition relationSize or bound on size
Wants to know:In what state we started?In what state we are?Transition relationConformanceSatisfaction of a temporal property
![Page 165: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/165.jpg)
Finite automata (Mealy machines)
S - finite set of states. (size n)– set of inputs. (size d)O – set of outputs, for each transition.(s0 S - initial state). S S - transition relation. S O – output on edge.
![Page 166: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/166.jpg)
Why deterministic machines?
Otherwise no amount of experiments would guarantee anything.
If dependent on some parameter (e.g., temperature), we can determinize, by taking parameter as additional input.
We still can model concurrent system. It means just that the transitions are deterministic.
All kinds of equivalences are unified into language equivalence.
Also: connected machine (otherwise we may never get to the completely separate parts).
![Page 167: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/167.jpg)
Determinism
When the black box is nondeterministic, we might never test some choices.
b/1a/1
a/1
![Page 168: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/168.jpg)
Preliminaries: separating sequences
s1
s3
s2
a/0b/1 b/0
b/1
a/0
a/0
Start with one block containing all states {s1, s2, s3}.
![Page 169: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/169.jpg)
A: separate to blocks of states with different output.
s1
s3
s2
a/0b/1 b/0
b/1
a/0
a/0
Two sets, separated using the string b {s1, s3}, {s2}.
![Page 170: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/170.jpg)
Repeat B: Separate blocks based on moving to different blocks.
s1
s3
s2
a/0b/1 b/0
b/1
a/0
a/0
Separate first block using b to three singleton blocks.Separating sequences: b, bb.Max rounds: n-1, sequences: n-1, length: n-1.For each pair of states there is a separating sequence.
![Page 171: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/171.jpg)
Want to know the state of the machine (at end). Homing sequence.Depending on output, would know in what
state we are. Algorithm: Put all the states in one block
(initially we do not know what is the state).Then repeatedly partitions blocks of states, as
long as they are not singletons, as follows: Take a non singleton block, append a
distinguishing sequence that separates at least two states.
Update all blocks to the states after executing .
Max length: (n-1)2 (Lower bound: n(n-1)/2.)
![Page 172: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/172.jpg)
Example (homing sequence)
s1
s3
s2
a/0b/1 b/0
b/1
a/0
a/0{s1, s2, s3}
{s1, s2} {s3}{s1} {s2} {s3}
b
b1 0
011
1
On input b and output 1, still don’t know if was in s1 or s3, i.e., if currently in s2 or s1.So separate these cases with another b.
![Page 173: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/173.jpg)
Synchronizing sequence One sequence takes the machine to
the same final state, regardless of the initial state or the outputs.
Not every machine has a synchronizing sequence.
Can be checked whether exists and can be found in polynomial time.
![Page 174: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/174.jpg)
State identification: Want to know in which state the
system has started (was reset). Can be a preset distinguishing
sequence (fixed), or a tree (adaptive).
May not exist (PSPACE complete to check if preset exists, polynomial for adaptive).
Best known algorithm: exponential length for preset,polynomial for adaptive [LY].
![Page 175: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/175.jpg)
Sometimes cannot identify initial state
b/1a/1 s1
s3
s2
a/1
b/0
b/1
a/1
Start with a:in case of being in s1 or s3 we’ll move to s1 and cannot distinguish.Start with b:In case of being in s1 or s2 we’ll move to s2 and cannot distinguish.
The kind of experiment we do affects what we can distinguish. Much like the Heisenberg principle in Physics.
![Page 176: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/176.jpg)
Conformance testing Unknown deterministic finite state system B. Known: n states and alphabet . An abstract model C of B. C satisfies all the
properties we want from B. C has m states. Check conformance of B and C. Another version: only a bound n on the number
of states l is known.
![Page 177: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/177.jpg)
Check conformance with a given state machine
Black box machine has no more states than specification machine (errors are mistakes in outputs, mistargeted edges).
Specification machine is reduced, connected, deterministic. Machine resets reliably to a single initial state (or use homing
sequence).
s1
s3
s2
a/1
b/0
b/1
a/1
?=
a/1
b/1
![Page 178: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/178.jpg)
Conformance testing [Ch,V]
a/1
b/1
Cannot distinguish if reduced or not.
a/1
b/1
a/1
b/1
a/1
b/1a/1
b/1
![Page 179: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/179.jpg)
Conformance testing (cont.)
ab b
aa
a
a b
b
b
a
Need: bound on number of states of B.
a
![Page 180: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/180.jpg)
Preparation:Construct a spanning tree
b/1a/1 s1
s3
s2
a/1
b/0
b/1
a/1
s1
s2s3
b/1a/1
![Page 181: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/181.jpg)
How the algorithm works?According to the spanning
tree, force a sequence of inputs to go to each state.
1. From each state, perform the distinguishing sequences.
2. From each state, make a single transition, check output, and use distinguishing sequences to check that in correct target state.
s1
s2s3
b/1a/1
Reset or hom
ing
Reset or hom
ing
Distinguishing sequences
![Page 182: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/182.jpg)
Comments1. Checking the different distinguishing
sequences (m-1 of them) means each time resetting and returning to the state under experiment.
2. A reset can be performed to a distinguished state through a homing sequence. Then we can perform a sequence that brings us to the distinguished initial state.
3. Since there are no more than m states, and according to the experiment, no less than m states, there are m states exactly.
4. Isomorphism between the transition relation is found, hence from minimality the two automata recognize the same languages.
![Page 183: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/183.jpg)
Combination lock automaton
Assume accepting states. Accepts only words with a specific suffix
(cdab in the example).
s1 s2 s3 s4 s5bdc a
Any other input
![Page 184: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/184.jpg)
When only a bound on size of black box is known… Black box can “pretend” to behave
as a specification automaton for a long time, then upon using the right combination, make a mistake.
b/1a/1s1
s3
s2
a/1
b/0
b/1
a/1
b/1
Pretends to be S3
Pretends to be S1
a/1
![Page 185: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/185.jpg)
Conformance testing algorithm [VC]
The worst that can happen is a combination lock automaton that behaves differently only in the last state. The length of it is the difference between the size n of the black box and the specification m.
Reach every state on the spanning tree and check every word of length n-m+1 or less. Check that after the combination we are at the state we are supposed to be, using the distinguishing sequences.
No need to check transitions: already included in above check.
Complexity: m2 n dn-m+1
Probabilistic complexity: Polynomial. Distinguishing sequences
s1
s2s3
b/1a/1
Words of length n-m+1
Reset or hom
ing
Reset or hom
ing
![Page 186: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/186.jpg)
Model Checking Finite state description of a system B. LTL formula . Translate into an automaton P. Check whether L(B) L(P)=. If so, S satisfies . Otherwise, the intersection
includes a counterexample. Repeat for different properties.
![Page 187: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/187.jpg)
Buchi automata (-automata) S - finite set of states. (B has l n states) S0 S - initial states. (P has m states) - finite alphabet. (contains p letters) S S - transition relation. F S - accepting states.Accepting run: passes a state in F infinitely
often.System automata: F=S, deterministic, one initial state.
Property automaton: not necessarily deterministic.
![Page 188: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/188.jpg)
Example: check a
a, aa
a <>a
![Page 189: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/189.jpg)
Example: check <>a
aa
a
a<>a
![Page 190: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/190.jpg)
Example: check <>a
Use automatic translation algorithms, e.g., [Gerth,Peled,Vardi,Wolper 95]
aa
a, a<>a
![Page 191: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/191.jpg)
System
c b
a
![Page 192: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/192.jpg)
Every element in the product is a counter example for the checked property.
c b
a
aa
a
a
s1 s2
s3 q2
q1
s1,q1
s1,q2 s3,q2
s2,q1a
b
ca
Acceptance isdetermined byautomaton P.
<>a
![Page 193: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/193.jpg)
Model Checking / Testing Given Finite state
system B. Transition relation of B
known. Property represent by
automaton P. Check if L(B) L(P)=. Graph theory or BDD
techniques. Complexity:
polynomial.
Unknown Finite state system B.
Alphabet and number of states of B or upper bound known.
Specification given as an abstract system C.
Check if B C. Complexity: polynomial
if number states known. Exponential otherwise.
![Page 194: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/194.jpg)
Black box checking [PVY]
Property represent by automaton P.
Check if L(B) L(P)=.
Graph theory techniques.
Unknown Finite state system B.
Alphabet and Upper bound on Number of states of B known.
Complexity: exponential.
![Page 195: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/195.jpg)
Experimentsaa
bb cc
reset
a
ab
b
c
c
try b a
ab
b
c
c
try c
fail
![Page 196: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/196.jpg)
Simpler problem: deadlock?
Nondeterministic algorithm:guess a path of length n from the initial state to a deadlock state.Linear time, logarithmic space.
Deterministic algorithm:systematically try paths of length n, one after the other (and use reset), until deadlock is reached.Exponential time, linear space.
![Page 197: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/197.jpg)
Deadlock complexity Nondeterministic algorithm:
Linear time, logarithmic space. Deterministic algorithm:
Exponential (p n-1) time, linear space. Lower bound: Exponential time (use
combination lock automata). How does this conform with what we
know about complexity theory?
![Page 198: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/198.jpg)
Modeling black box checking
Cannot model using Turing machines: not all the information about B is given. Only certain experiments are allowed.
We learn the model as we make the experiments.
Can use the model of games of incomplete information.
![Page 199: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/199.jpg)
Games of incomplete information
Two players: player, player (here, deterministic). Finitely many configurations C. Including:
Initial Ci , Winning : W+ and W- . An equivalence relation on C (the player cannot
distinguish between equivalent states). Labels L on moves (try a, reset, success, fail). The player has the moves labeled the same from
configurations that are equivalent. Deterministic strategy for the player: will lead to a
configuration in W+ W-. Cannot distinguish between equivalent configurations.
Nondeterministic strategy: Can distinguish between equivalent configurations..
![Page 200: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/200.jpg)
Modeling BBC as games Each configuration contains an automaton
and its current state (and more). Moves of the player are labeled with
try a, reset... Moves of the -player withsuccess, fail.
c1 c2 when the automata in c1 and c2 would respond in the same way to the experiments so far.
![Page 201: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/201.jpg)
A naive strategy for BBC Learn first the structure of the black box. Then apply the intersection. Enumerate automata with n states
(without repeating isomorphic automata). For a current automata and new automata,
construct a distinguishing sequence. Only one of them survives.
Complexity: O((n+1)p (n+1)/n!)
![Page 202: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/202.jpg)
On-the-fly strategy Systematically (as in the deadlock
case), find two sequences v1 and v2 of length <=m n.
Applying v1 to P brings us to a state t that is accepting.
Applying v2 to P brings us back to t.
Apply v1 v2 n to B. If this succeeds,
there is a cycle in the intersection labeled with v2, with t as the P (accepting) component.
Complexity: O(n2p2mnm).
v1
v2
![Page 203: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/203.jpg)
Learning an automaton Use Angluin’s algorithm for learning an
automaton. The learning algorithm queries whether
some strings are in the automaton B. It can also conjecture an automaton Mi
and asks for a counterexample. It then generates an automaton with
more states Mi+1 and so forth.
![Page 204: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/204.jpg)
A strategy based on learning Start the learning algorithm. Queries are just experiments to B. For a conjectured automaton Mi ,
check if Mi P = If so, we check conformance of Mi with
B ([VC] algorithm). If nonempty, it contains some v1 v2
. We test B with v1 v2
n. If this succeeds: error, otherwise, this is a counterexample for Mi .
![Page 205: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/205.jpg)
Complexity l - actual size of B. n - an upper bound of size of B. d - size of alphabet. Lower bound: reachability is similar to
deadlock. O(l 3 d l + l 2mn) if there is an error. O(l 3 d l + l 2 n dn-l+1+ l 2mn) if there is no error.If n is not known, check while time allows. Probabilistic complexity: polynomial.
![Page 206: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/206.jpg)
Some experiments Basic system written in SML (by Alex
Groce, CMU). Experiment with black box using Unix
I/O. Allows model-free model checking of C
code with inter-process communication. Compiling tested code in SML with BBC
program as one process.
![Page 207: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/207.jpg)
Conclusions Black Box Checking: automatic
verification of unspecified system. A hard problem, exponential in
number of states, but polynomial on average.
Implemented, tested. Another use: when the model is
given, but is not exact.
![Page 208: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/208.jpg)
The rest is not part of this lecture
![Page 209: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/209.jpg)
Part 2: Software testing Testing is not about showing that there
are no errors in the program. Testing cannot show that the program
performs its intended goal correctly.So, what is software testing?Testing is the process of executing the
program in order to find errors.A successful test is one that finds an
error.
![Page 210: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/210.jpg)
Some software testing stages
Unit testing – the lowest level, testing some procedures.
Integration testing – different pieces of code. System testing – testing a system as a whole. Acceptance testing – performed by the
customer. Regression testing – performed after updates. Stress testing – checking the code under
extreme conditions. Mutation testing – testing the quality of the
test suite.
![Page 211: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/211.jpg)
Some drawbacks of testing
There are never sufficiently many test cases.
Testing does not find all the errors. Testing is not trivial and requires
considerable time and effort. Testing is still a largely informal
task.
![Page 212: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/212.jpg)
Black-Box (data-driven, input-output) testing
The testing is not based on the structure of the program (which is unknown).
In order to ensure correctness, every possible input needs to be tested - this is impossible!
The goal: to maximize the number of errors found.
![Page 213: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/213.jpg)
testingIs based on the internal structure of the
program.There are several alternative criterions
for checking “enough” paths in the program.
Even checking all paths (highly impractical) does not guarantee finding all errors (e.g., missing paths!)
![Page 214: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/214.jpg)
Some testing principles A programmer should not test his/her own program. One should test not only that the program does
what it is supposed to do, but that it does not do what it is not supposed to.
The goal of testing is to find errors, not to show that the program is errorless.
No amount of testing can guarantee error-free program.
Parts of programs where a lot of errors have already been found are a good place to look for more errors.
The goal is not to humiliate the programmer!
![Page 215: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/215.jpg)
Inspections and Walkthroughs Manual testing methods. Done by a team of people. Performed at a meeting
(brainstorming). Takes 90-120 minutes. Can find 30%-70% of errors.
![Page 216: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/216.jpg)
Code Inspection Team of 3-5 people. One is the moderator.
He distributes materials and records the errors.
The programmer explains the program line by line.
Questions are raised. The program is
analyzed w.r.t. a checklist of errors.
![Page 217: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/217.jpg)
Checklist for inspections Data declarationAll variables
declared?Default values
understood?Arrays and strings
initialized?Variables with similar
names?Correct initialization?
Control flowEach loop terminates?DO/END statements
match?
Input/outputOPEN statements
correct?Format specification
correct?End-of-file case handled?
![Page 218: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/218.jpg)
Walkthrough Team of 3-5 people. Moderator, as
before. Secretary, records
errors. Tester, play the role
of a computer on some test suits on paper and board.
![Page 219: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/219.jpg)
Selection of test cases (for white-box testing)The main problem is to select a good
coveragecriterion. Some options are:
Cover all paths of the program. Execute every statement at least once. Each decision has a true or false value at least
once. Each condition is taking each truth value at
least once. Check all possible combinations of conditions in
each decision.
![Page 220: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/220.jpg)
Cover all the paths of the program
Infeasible.Consider the flow diagram
on the left.It corresponds to a loop.The loop body has 5 paths.If the loops executes 20times there are 5^20
different paths!May also be unbounded!
![Page 221: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/221.jpg)
How to cover the executions?IF (A>1)&(B=0) THEN X=X/A;
END;IF (A=2)|(X>1) THEN X=X+1;
END;
Choose values for A,B,X. Value of X may change, depending on A,B. What do we want to cover? Paths?
Statements? Conditions?
![Page 222: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/222.jpg)
Statement coverageExecute every statement at least onceBy choosingA=2,B=0,X=3each statement will
be chosen.The case where the
tests fail is not checked!
IF (A>1)&(B=0) THEN X=X/A; END;
IF (A=2)|(X>1) THEN X=X+1; END;
Now x=1.5
![Page 223: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/223.jpg)
Decision coverageEach decision has a true and false outcome at least once.Can be achieved
using A=3,B=0,X=3 A=2,B=1,X=1
Problem: Does not test individual conditions. E.g., when X>1 is erroneous in second decision.
IF (A>1)&(B=0) THEN X=X/A; END;
IF (A=2)|(X>1) THEN X=X+1; END;
![Page 224: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/224.jpg)
Decision coverage
A=3,B=0,X=3 IF (A>1)&(B=0) THEN X=X/A; END;
IF (A=2)|(X>1) THEN X=X+1; END;
Now x=1
![Page 225: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/225.jpg)
Decision coverage
A=2,B=1,X=1
The case where A1 and the case where x>1 where not checked!
IF (A>1)&(B=0) THEN X=X/A; END;
IF (A=2)|(X>1) THEN X=X+1; END;
![Page 226: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/226.jpg)
Condition coverageEach condition has a true and false value at least once.
For example: A=1,B=0,X=3 A=2,B=1,X=0
lets each condition be true and false once.
Problem:covers only the path where the first test fails and the second succeeds.
IF (A>1)(A>1)&(B=0) THEN X=X/A; END;
IF (A=2)|(X>1) THEN X=X+1; END;
![Page 227: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/227.jpg)
Condition coverage
A=1,B=0,X=3 IF (A>1) (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
![Page 228: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/228.jpg)
Condition coverage
A=2,B=1,X=0
Did not check the first THEN part at all!!!
Can use condition+decision coverage.
IF (A>1)(A>1)&(B=0) THEN X=X/A; END;
IF (A=2)|(X>1) THEN X=X+1; END;
![Page 229: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/229.jpg)
Multiple Condition CoverageTest all combinations of all conditions in each test.
A>1,B=0 A>1,B≠0 A1,B=0 A1,B≠0 A=2,X>1 A=2,X1 A≠2,X>1 A≠2,X1
IF (A>1)&(B=0) THEN X=X/A; END;
IF (A=2)|(X>1) THEN X=X+1; END;
![Page 230: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/230.jpg)
A smaller number of cases: A=2,B=0,X=4 A=2,B=1,X=1 A=1,B=0,X=2 A=1,B=1,X=1Note the X=4 in the firstcase: it is due to the factthat X changes beforebeing used!
IF (A>1)&(B=0) THEN X=X/A; END;
IF (A=2)|(X>1) THEN X=X+1; END;
Further optimization: not all combinations.For C /\ D, check (C, D), (C, D), (C, D).For C \/ D, check (C, D), (C, D), (C, D).
![Page 231: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/231.jpg)
Preliminary:Relativizing assertions
(B) : x1= y1 * x2 + y2 /\ y2 >= 0Relativize B) w.r.t. the assignment
becomes B) [Y\g(X,Y)]e(B) expressed w.r.t. variables at
A.) (B)A =x1=0 * x2 + x1 /\ x1>=0
Think about two sets of variables,before={x, y, z, …} after={x’,y’,z’…}.
Rewrite (B) using after, and the assignment as a relation between the set of variables. Then eliminate after.
Here: x1’=y1’ * x2’ + y2’ /\ y2’>=0 /\x1=x1’ /\ x2=x2’ /\ y1’=0 /\ y2’=x1now eliminate x1’, x2’, y1’, y2’.
(y1,y2)=(0,x1)
A
B
A
B
(y1,y2)=(0,x1)
Y=g(X,Y)
![Page 232: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/232.jpg)
Verification conditions: tests
C) B)= t(X,Y) /\ C)
D) B)=t(X,Y) /\ D)
B)= D) /\ y2x2
y2>=x2
B
C
D
B
C
Dt(X,Y)
FT
FT
![Page 233: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/233.jpg)
How to find values for coverage?
•Put true at end of path.•Propagate path backwards.•On assignment, relativize expression.•On “yes” edge of decision, add decision as conjunction.•On “no” edge, add negation of decision as conjunction.•Can be more specific when calculating condition with multiple condition coverage.
A>1 & B=0
A=2 | X>1
X=X+1
X=X/Ano
no
yes
yes
true
true
![Page 234: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/234.jpg)
How to find values for coverage?
A>1 & B=0
A=2 | X>1
X=X+1
X=X/Ano
no
yes
yes
true
true
A≠2 /\ X>1
(A≠2 /\ X/A>1) /\ (A>1 & B=0)
A≠2 /\ X/A>1Need to find a
satisfying assignment:A=3, X=6, B=0Can also calculate path condition forwards.
![Page 235: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/235.jpg)
How to cover a flow chart? Cover all nodes, e.g., using search strategies:
DFS, BFS. Cover all paths (usually impractical). Cover each adjacent sequence of N nodes. Probabilistic testing. Using random number
generator simulation. Based on typical use. Chinese Postman: minimize edge traversal
Find minimal number of times time to travel each edge using linear programming or dataflow algorithms.Duplicate edges and find an Euler path.
![Page 236: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/236.jpg)
Test cases based on data-flow analysis Partition the program
into pieces of code with a single entry/exit point.
For each piece find which variables are set/used/tested.
Various covering criteria: from each set to each
use/test From each set to
some use/test.
X:=3
z:=z+x
x>y
t>y
![Page 237: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/237.jpg)
Test case design for black box testing Equivalence partition Boundary value analysis Cause-effect graphs
![Page 238: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/238.jpg)
Equivalence partition Goals:
Find a small number of test cases. Cover as much possibilities as you can.
Try to group together inputs for which the program is likely to behave the same.
Specificationcondition
Valid equivalenceclass
Invalid equivalenceclass
![Page 239: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/239.jpg)
Example: A legal variable Begins with A-Z Contains [A-Z0-9] Has 1-6 characters.
Specificationcondition
Valid equivalenceclass
Invalid equivalenceclass
Starting char
Chars
Length
Starts A-Z Starts other
[A-Z0-9] Has others
1-6 chars 0 chars, >6 chars
1 2
3 4
56 7
![Page 240: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/240.jpg)
Equivalence partition (cont.)
Add a new test case until all valid equivalence classes have been covered. A test case can cover multiple such classes.
Add a new test case until all invalid equivalence class have been covered. Each test case can cover only one such class.
Specificationcondition
Valid equivalenceclass
Invalid equivalenceclass
![Page 241: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/241.jpg)
Example
AB36P (1,3,5) 1XY12 (2) A17#%X (4)
Specificationcondition
Valid equivalenceclass
Invalid equivalenceclass
Starting char
Chars
Length
Starts A-Z Starts other
[A-Z0-9] Has others
1-6 chars 0 chars, >6 chars
1 2
3 4
56 7
(6) VERYLONG (7)
![Page 242: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/242.jpg)
Boundary value analysis
In every element class, select values that are closed to the boundary. If input is within range -1.0 to +1.0,
select values -1.001, -1.0, -0.999, 0.999, 1.0, 1.001.
If needs to read N data elements, check with N-1, N, N+1. Also, check with N=0.
![Page 243: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/243.jpg)
Test case generation based on LTL specification
Compiler ModelChecker
Path conditioncalculation
First orderinstantiator
Testmonitoring
Transitions
Path Flow
chart
LTLAut
![Page 244: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/244.jpg)
Goals Verification of software. Compositional verification. Only a unit of code. Parametrized verification. Generating test cases.
A path found with some truth assignment satisfying the path condition. In deterministic code, this assignment guarantees to derive the execution of the path.
In nondeterministic code, this is one of the possibilities.Can transform the code to force replying the path.
![Page 245: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/245.jpg)
Divide and Conquer Intersect property automatonproperty automaton with the
flow chartflow chart, regardless of the statements and program variables expressions.
Add assertions from the property automaton to further restrict the path condition.
Calculate path conditions for sequences found in the intersection.
Calculate path conditions on-the-fly. Backtrack when condition is false.Thus, advantage to forward calculation of path conditions (incrementally).
![Page 246: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/246.jpg)
Spec:¬at l2U (at l2/\ ¬at l2/\(¬at l2U at l2))
¬at l2
at l2
¬at l2
at l2
l2:x:=x+z
l3:x<t
l1:…
l2:x:=x+z
l3:x<t
l2:x:=x+z
XX==
![Page 247: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/247.jpg)
Spec: ¬at l2U (at l2/\ xy /\ (¬at l2/\(¬at l2U at l2 /\ x2y )))
¬at l2
at l2/\xy
¬at l2
at l2/\x2y
l2:x:=x+z
l3:x<t
l1:…
l2:x:=x+z
l3:x<t
l2:x:=x+z
XX==
xy
x2y
![Page 248: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/248.jpg)
Example: GCD
l1:x:=a
l5:y:=z
l4:x:=y
l3:z:=x rem y
l2:y:=b
l6:z=0? yesno
l0
l7
![Page 249: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/249.jpg)
Example: GCD
l1:x:=a
l5:x:=y
l4:y:=z
l3:z:=x rem y
l2:y:=b
l6:z=0? yesno
Oops…with an error (l4 and l5 were switched).
l0
l7
![Page 250: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/250.jpg)
Why use Temporal specification Temporal specification for sequential
software? Deadlock? Liveness? – No! Captures the tester’s intuitionintuition about the
location of an error:“I think a problem may occur when the program runs through the main while loop twice, then the if condition holds, while t>17.”
![Page 251: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/251.jpg)
Example: GCD
l1:x:=a
l5:x:=y
l4:y:=z
l3:z:=x rem y
l2:y:=b
l6:z=0? yesno
l0
l7
a>0/\b>0/\at l0 /\at l7
at l0/\a>0/\b>0
at l7
![Page 252: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/252.jpg)
Example: GCD
l1:x:=a
l5:x:=y
l4:y:=z
l3:z:=x rem y
l2:y:=b
l6:z=0? yesno
l0
l7
a>0/\b>0/\at l0/\at l7
Path 1: l0l1l2l3l4l5l6l7a>0/\b>0/\a rem b=0
Path 2: l0l1l2l3l4l5l6l3l4l5l6l7 a>0/\b>0/\a rem b0
![Page 253: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/253.jpg)
Potential explosion
Bad point: potential explosionGood point: may be chopped on-the-fly
![Page 254: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/254.jpg)
![Page 255: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/255.jpg)
![Page 256: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/256.jpg)
![Page 257: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/257.jpg)
![Page 258: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/258.jpg)
![Page 259: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/259.jpg)
![Page 260: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/260.jpg)
![Page 261: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/261.jpg)
![Page 262: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/262.jpg)
![Page 263: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/263.jpg)
![Page 264: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/264.jpg)
![Page 265: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/265.jpg)
![Page 266: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/266.jpg)
![Page 267: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/267.jpg)
![Page 268: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/268.jpg)
Drivers and Stubs Driver: represents the program
or procedure that called our checked unit.
Stub: represents a procedure called by our checked unit.
In our approach: replace both of them with a formula representing the effect the missing code has on the program variables.
Integrate the driver and stub specification into the calculation of the path condition.
l1:x:=a
l5:x:=y
l4:y:=z
l3:z’=x rem y/\x’=x/\y’=x
l2:y:=b
l6:z=0? yesno
l0
l7
![Page 269: Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062520/56816008550346895dcf0a6e/html5/thumbnails/269.jpg)
Conclusions Black box testing: Know transition relation,
or bound on number of states, want to find initialstate, structure, conformance, temporal property.
Software testing:Unit testing, code inspection, coverage, test case generation.
Model checking and testing have a lot in common.